Check Point researchers discovered a security vulnerability in LG SmartThinQ smart home devices that allowed them to hijack internet-connected devices like refrigerators, ovens, dishwashers, air conditioners, dryers, and washing machines manufactured by LG.

...and what's worse?

Hackers could even remotely take control of LG's Hom-Bot, a camera-equipped robotic vacuum cleaner, and access the live video feed to spy on anything in the device's vicinity.

This hack doesn't even require the hacker and the targeted device to be on the same network.

Dubbed HomeHack, the vulnerability resides in the mobile app and cloud application used to control LG's SmartThinQ home appliances, allowing an attacker to remotely gain control of any connected appliance controlled by the app.

This vulnerability could allow hackers to remotely log into the SmartThinQ cloud application and take over the victim's LG account, according to the researchers.

Watch the Video Demonstration of the HomeHack Attack:

The researchers demonstrated the risks posed by this vulnerability by taking control of an LG Hom-Bot, which comes equipped with a security camera and motion detection sensors and is reportedly owned by over one million users.

You can watch the video posted by the Check Point researchers, which shows how easy it is to hijack the appliance and use it to spy on users and their homes.

The issue lies in the way the SmartThinQ app processes logins, and exploiting it requires only a hacker of moderate skill who knows the email address of the target, and nothing else.

Since hackers can simply bypass a victim's login using the HomeHack flaw, there is no need for them to be on the same network as the victim, and basic IoT security advice, such as avoiding default credentials and always using a strong password, does not help here either.

Also, such devices which are supposed to give users remote access from an app cannot be put behind a firewall to keep them away from the exposure on the Internet.

In order to perform this hack, the hacker needs a rooted device and has to intercept the app's traffic with the LG server.

However, the LG app has a built-in anti-root mechanism, which immediately closes the app if it detects that the smartphone is rooted, and an SSL pinning mechanism, which prevents traffic interception.

So, to bypass both security features, Check Point researchers said hackers could first decompile the source of the app, remove the functions that enable SSL pinning and anti-root from the app's code, recompile the app and install it on their rooted device.

Now, hackers can run this tampered app on their rooted smartphone and set up a proxy that allows them to intercept the application traffic.

Here's How the HomeHack Attack Works:

Researchers analyzed the login process of the SmartThinQ app and found that it contains the following requests:

Authentication request – the user would enter his/her login credentials, which would be validated by the company's backend server.

Signature request – creates a signature based on the above-provided username (i.e. the email address); this signature has nothing to do with the password.

Token request – an access token for the user account is generated using the signature response as a header and username as a parameter.

Login request – sends the above-generated access token in order to allow the user to login to the account.

However, researchers found that there's no dependency between the first step and the subsequent two mentioned above.

So, an attacker could first use his/her username to pass step one, and then intercept the traffic in order to change the username to the victim's username for steps two and three, which would effectively grant the attacker access to the victim's account.
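The missing dependency described above, as an added simulation that is not LG's code: a toy backend implements the four requests with a signature computed from the username alone. In the flawed token step nothing ties the username to the session that actually passed the password check; the hardened variant refuses a token unless the requested username matches the authenticated session. All usernames, passwords and the server secret are constructed values.

```python
"""Toy model of a SmartThinQ-style four-step login (constructed, not LG's code)."""
import hashlib
import hmac
import secrets

# Constructed user database: username -> password (assumed values).
USERS = {
    "attacker@example.com": "attacker-pass",
    "victim@example.com": "victim-pass",
}
SERVER_SECRET = b"constructed-server-secret"
TOKEN_PREFIX = "token-for-"


class Backend:
    def __init__(self):
        # session id -> username that actually passed the password check
        self.sessions = {}

    # Step 1: authentication request, validated against the password.
    def authenticate(self, username, password):
        if USERS.get(username) != password:
            raise PermissionError("bad credentials")
        sid = secrets.token_hex(8)
        self.sessions[sid] = username
        return sid

    # Step 2: signature over the username only; it never sees the password.
    def signature(self, username):
        return hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()

    # Step 3 (flawed): a token is issued to whoever presents a valid
    # signature for a username, regardless of who authenticated in step 1.
    def token_flawed(self, username, sig):
        if not hmac.compare_digest(sig, self.signature(username)):
            raise PermissionError("bad signature")
        return TOKEN_PREFIX + username

    # Step 3 (hardened): the token request is bound to the session from
    # step 1, so the username cannot be swapped between the steps.
    def token_hardened(self, sid, username, sig):
        if self.sessions.get(sid) != username:
            raise PermissionError("username does not match authenticated session")
        if not hmac.compare_digest(sig, self.signature(username)):
            raise PermissionError("bad signature")
        return TOKEN_PREFIX + username

    # Step 4: login with the token; returns the account it grants.
    def login(self, token):
        if not token.startswith(TOKEN_PREFIX):
            raise PermissionError("bad token")
        return token[len(TOKEN_PREFIX):]


def account_granted_flawed(backend, own_user, own_pass, requested_user):
    """Authenticate as own_user, then request signature/token for requested_user."""
    backend.authenticate(own_user, own_pass)          # step 1 passes for own account
    sig = backend.signature(requested_user)           # step 2 with a different username
    tok = backend.token_flawed(requested_user, sig)   # step 3 does not notice
    return backend.login(tok)


def account_granted_hardened(backend, own_user, own_pass, requested_user):
    """Same sequence against the hardened backend; None if the token is refused."""
    sid = backend.authenticate(own_user, own_pass)
    sig = backend.signature(requested_user)
    try:
        tok = backend.token_hardened(sid, requested_user, sig)
    except PermissionError:
        return None
    return backend.login(tok)
```

The flawed flow grants the account named in steps 2 and 3 even though only the other account's password was checked; the hardened flow only ever grants the account that authenticated.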

Once in control of the target account, the attacker can control any LG device or appliance associated with that account, including refrigerators, ovens, dishwashers, washing machines and dryers, air conditioners, and robot vacuum cleaners.

Hackers can then change the settings on the hijacked devices, or simply switch them on or off.

This Is What You Can Do Now:

Researchers disclosed the vulnerability to LG on July 31 and the device manufacturer issued an update to patch the issue in September.

So, if you own any LG SmartThinQ appliance, you are strongly advised to update the LG SmartThinQ mobile app to the latest version (1.9.23) through the Google Play Store, the Apple App Store or the LG SmartThinQ settings.

So, are you worried about hackers turning your device into a covert listening device?

Just relax, unless the NSA, the CIA or one of your similarly skilled friends is after you.

Since yesterday there have been several reports of an Amazon Echo hack that could allow a hacker to turn your smart speaker into a covert listening device, but users need not worry: the hack is not simple, requires physical access to the device and does not work on all models.

Amazon Echo is an always-listening voice-activated smart home speaker that is designed to play music, set alarms, answer questions via the Alexa voice assistant, and control connected smart home devices like WeMo, Hive and Nest.

Hack Turns Amazon Echo Into Spying Device (But It's Complex)

Now researchers from MWR InfoSecurity have demonstrated a hack, showing how hackers can exploit a vulnerability in some models of Amazon Echo to turn them into covert listening devices that can secretly record your most intimate moments.

But the hack is not simple and has some significant limitations:

The first major limitation of the Amazon Echo hack is that it requires the hacker to gain physical access to the device, though, according to the researchers, it is possible to tamper with the Echo without leaving any traces behind.

The second limitation is that the Amazon Echo hack works only against older models, as the vulnerability discovered by MWR researchers only affects the 2015 and 2016 versions of the AI-powered speaker.

Another major limitation is that the attacker needs above-average skills in Linux as well as in embedded hardware systems.

In short, it is a very sophisticated hack that first requires a James Bond to bypass any CCTV cameras you have in order to stealthily gain physical access to your premises, and then at least 30 minutes of spare time with the Amazon Echo to install the malware without leaving any traces of tampering.

In another scenario, as described by the researchers, your house cleaner or maid who has access to your device could also perform this attack, so the researchers dubbed the attack as "evil maid."

However, the 'evil maid' attack is not as impressive as it sounds, because in such a highly targeted scenario one can simply plant bugging devices with less effort, knowledge and time.

Hacking Amazon Echo: How It Works?

In order to carry out the evil maid hack, MWR Labs security researcher Mark Barnes first removed the Echo's rubber base on the bottom, which gave him access to 18 debug "pads" that Amazon engineers rely on to carry out various diagnostics.

Barnes then directly booted into the actual firmware of the device via an external SD card. From there, he was able to install persistent malware without leaving any physical traces of tampering with the device.

The malware then allowed the researcher to gain remote root shell access of the device, and ultimately access to the 'always listening' microphones.

"Once we'd root we examined the processes running on the device and the scripts that spawn these processes," Barnes wrote. "We were able to understand how audio media is being passed and buffered between processes and the tools that are used to create and interact with these audio buffers."

Barnes said his team then developed scripts that leveraged tools embedded on the Amazon Echo to continuously stream the raw microphone audio over TCP/IP to a remote server without affecting the actual functionality of the device itself.

This means that hackers, at least in theory, can covertly monitor and listen in on users' conversations and steal private data without their permission or even their awareness.

"The rooting of the Amazon Echo device in itself was trivial; however, it raises a number of important questions for manufacturers of Internet enabled or 'Smart Home' devices," Barnes added.

The researcher warned users against buying smart speakers from third-party retailers, and advised them to press the Echo's mute button to physically disable the microphone.

In response to MWR's findings, Amazon released a statement saying the best way for users to protect themselves from such tampering is always to buy the Echo from the company directly.

"Customer trust is very important to us. To help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date," the company said.

Users owning 2017 models of the device are not affected by this latest hack, as the new models introduced a mitigation that joins two of the crucial debugging pads in a way that prevents the device from external booting.

What if I told you that your cute, smart robotic vacuum cleaner is collecting more than just dirt?

During an interview with Reuters, the CEO of iRobot, the company which manufactured Roomba device, has revealed that the robotic vacuum cleaner also builds a map of your home while cleaning — and is now planning to sell this data to third-party companies.

I know it sounds really creepy, but this is what the iRobot company has planned with the home mapping data its Roomba robots collect on its users.

What is Roomba?

Manufactured by Massachusetts-based firm iRobot, Roomba is a cute little robotic vacuum cleaner — which ranges in price from $375 to $899 — that has been vacuuming up household dirt since 2002.

Early versions of Roomba used IR or laser sensors to avoid obstacles in their way, but from 2015 the company began shipping high-end Wi-Fi-connected Roomba models, such as the Roomba 980, which includes a camera and Simultaneous Localisation And Mapping (SLAM) technology that can not only avoid obstacles but also build a map of your home.

And this has opened up new possibilities for the company.

What Data Roomba Collects and Why?

Roomba robots gather all kinds of data—from room dimensions and furniture position to distances between different objects placed in your room—that could help next-generation IoT devices to build a true smart home.

iRobot CEO Colin Angle believes mapping data could be used by other smart home devices—such as thermostats, lighting, air conditioners, personal assistants, and security cameras—to become smarter.

According to iRobot CEO Colin Angle, "there's an entire ecosystem of things and services that the smart home can deliver once you have a rich map of the home that the user has allowed to be shared."

Angle also told the publication that he is planning to push the company toward a broader vision of the smart home, and that in the near future iRobot could sell your floor data to businesses like Apple, Amazon, Microsoft and Google—but not without its users' consent.

Until now, your home data is private and is not being shared with any third-party company.

Why Would Companies be Interested in Your Floor-Plans?

By now, you must be wondering how your floor plans could be of use to companies like Apple, Amazon, Google or Microsoft.

The move has some obvious privacy concerns, but surprisingly, this could help other smart devices at your home to work more efficiently—for example:

The data could help tech companies like Amazon, Apple and Google to improve their smart home speakers to control the vacuum and make use of the acoustics to improve audio performance throughout the home.

Dimensional knowledge of the rooms could help Smart Air-conditioners to control airflow throughout the rooms.

Home mapping data could also help Apple’s ARKit developers to create new apps for room management and interior design.

Moreover, Microsoft, Apple, Amazon and Google are already chasing this kind of data to lead in the smart industry.

Concerns — Privacy And Security

Since 2015, when iRobot introduced the mapping technology in Roomba, the vacuum cleaners have not just been picking up dirt and dust but have also been mapping the layout of your home, which raises privacy concerns for many of their users.

According to its terms of service, the users already give the company permission to share their data with third party vendors and subsidiaries, and on government requests.

"We may share your information...Third party vendors, affiliates, and other service providers that perform services on our behalf, solely in order to carry out their work for us, which may include identifying and serving targeted advertisements, providing e-commerce services, content or service fulfillment, billing, web site operation, payment processing and authorization, customer service, or providing analytics services," the company's privacy policy reads.

Given these terms, it is possible for the company to sell its customers' information in bulk to other companies without notifying its users. And it is obvious that the more you want your technology to be smart, the more private data you are handing over to companies.

Roomba is already compatible with Amazon's Alexa and Google's Home — Apple's HomePod speaker will soon join them — therefore, its CEO is planning to sell its maps to one or more of these 'Big Three' in the next couple of years.

Arkansas police are seeking help from e-commerce giant Amazon for data that may have been recorded on its Echo device belonging to a suspect in a murder case, bringing the conflict into the realm of the Internet of Things.

Amazon Echo is a voice-activated smart home speaker capable of controlling several smart devices by integrating it with a variety of home automation hubs. It can do tasks like play music, make to-do lists, set alarms, and also provide real-time information such as weather and traffic.

As first reported by The Information, authorities in Bentonville have issued a warrant for Amazon to hand over audio or records from an Echo device belonging to James Andrew Bates in the hope that they'll aid in uncovering additional details about the murder of Victor Collins.

Just as Apple refused to help the FBI unlock an iPhone belonging to one of the San Bernardino terrorists, Amazon also declined to give police any of the information that the Echo logged on its servers.

Collins died on November 21 last year while visiting the house of Bates, his friend from work, in Bentonville, Arkansas. The next morning, Collins' dead body was discovered in a hot tub, and Bates was charged with first-degree murder.

As part of the investigation, authorities seized an Amazon Echo device belonging to Bates, among other internet-connected devices in his home, including a water meter, a Nest thermostat, and a Honeywell alarm system.

Always-ON Listening Feature

Echo typically sits in an idle state with its microphones constantly listening for the "wake" command like "Alexa" or "Amazon" before it begins recording and sending data to Amazon's servers.

However, due to its always-on feature, it is not unusual for the Echo to activate by mistake and grab snippets of audio that users may not have known were being recorded.

Some of those voice commands are not stored locally on Echo but are instead logged onto Amazon's servers.

Presumably, the authorities believe that those audio records that the Echo device might have picked up the night of the incident and uploaded to Amazon servers could contain evidence related to the case under investigation.

Amazon Refused (Twice) to Hand over its User's Data

Amazon, however, denied providing any data that the authorities need. Here's what a spokesperson for the company told CNBC:

"Amazon will not release customer information without a valid and binding legal demand properly served on us. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course."

While the online retail giant has twice refused to hand over to police the Echo data logged on its servers, Amazon did provide Bates' account information and purchase history.

The police said they were able to extract data from Echo, though it's uncertain what they were able to uncover and how useful that data would be in their investigation.

According to court records, Bates' smart water meter shows that his home ran 140 gallons of water between 1 AM and 3 AM the night Collins was found dead in Bates' hot tub. The prosecution claims that the water was used to wash away evidence after he killed Collins.

Should Amazon Share the Data or Not?

The authorities in the Collins murder case are asking for data on Amazon's servers that could help bring a criminal to justice. If so, authorities should get access to it.

In the case of Apple vs. FBI, Apple was forced to write a backdoor software that could bypass the security mechanism built into its iPhone, while the company already handed over the data stored on its server.

The broader takeaway: IoT devices automating your habits at home could be used for or against you, legally.

The Collins murder case appears to be a first-of-its-kind, and we are very much sure to see more such cases in the future.

It will be interesting to see how the companies that make smart home devices will serve their customers while maintaining a balance between keeping their customers' privacy safe and aiding the process of justice.


How many Internet-connected devices do you have in your home? I am surrounded by around 25 such devices.

It's not just your PC, smartphone, and tablet that are connected to the Internet. Today our homes are filled with tiny computers embedded in everything from security cameras, TVs and refrigerators to thermostat and door locks.

However, when it comes to security, people generally neglect to protect all these connected devices and focus instead on securing their PCs and smartphones with good antivirus software or a firewall application.

What if any of these connected devices, that are poorly configured or insecure by design, get hacked?

It would give hackers unauthorized access to your whole network allowing them to compromise other devices connected to the same network, spy on your activities and steal sensitive information by using various sophisticated hacks.

IoT threats have risen enormously in the past few months, especially DDoS botnets and ransomware attacks, which have shaken the digital world.

Can You Protect Your Entire Home Network?

While IoT manufacturers and Internet standard creators have a huge role to play in securing these vulnerable devices, consumers must also take some personal responsibility in protecting their own devices.

There are numerous security articles available on the Internet providing useful recommendations for securing your smart devices.

But when it comes to manually addressing all of these IoT security issues, it is not possible for all users, especially non-techies, to understand and fix them without considerable time and effort. Moreover, it is also tedious to regularly check and update every single device.

One Device to Secure Your Entire Home Network and Connected Devices

The new Bitdefender BOX is a tiny hardware-based security solution designed to combine a network firewall, an intrusion prevention system, a vulnerability scanner and an antivirus solution.

Setting up the Bitdefender BOX is quite easy. This tiny box can be connected to your existing internet router to monitor all the Internet traffic and connected devices in real-time, preventing unauthorized access to your home network.

1. Network and Wi-Fi Security

Once connected, Bitdefender BOX automatically scans your network and makes a list of everything that is connected to it in order to protect and monitor things.

To identify known malicious patterns designed to disrupt or spy on you, Bitdefender BOX continually intercepts and scans for only essential parts of the data packets that flow in and out of your network.

One of the major benefits of Bitdefender BOX is that it automatically keeps an eye on every device that joins your network, whether it be you, a guest, or hacker.

When a new device logs into your network, Bitdefender BOX automatically alerts you with a pop-up on your phone, allowing you to quickly kick malicious users off your network with just a single tap.

Bitdefender BOX also provides antivirus protection via Bitdefender's cloud-based threat intelligence network for every device on your network, alerting you to every attempted intrusion or malware that comes from the Internet.

Bitdefender's Total Security Multi-Device (TSMD) is a complete cyber security solution that protects your standard devices – laptops, desktops, smartphones and tablets – across Windows, Mac OS, and Android platforms. Bitdefender BOX comes with a one-year subscription to TSMD, as well as the freedom to deploy it to an unlimited number of devices. That means you can protect every classic device in your network – all with this powerful, award-winning software.

However, what if you are not at home within the range of your home network?

Don't worry about it, because Bitdefender BOX will secure your device remotely outside of the range using a VPN (virtual private network) connection between the agent and BOX, routing all your traffic and analyzing it for any threat.

Bitdefender BOX also protects all your connected devices from man-in-the-middle (MITM) and other cyber-attacks when you connect to insecure networks, such as public Wi-Fi hotspots.

Bitdefender BOX also has ransomware protection built in, protecting your network from ransomware attacks. Ransomware is a nasty program that locks your files and demands a ransom, typically paid in Bitcoin, as the only way to get your files back.

3. Built-in Vulnerability Assessment Tool

Bitdefender BOX also comes with a vulnerability scanner that scans every device on your home network to find any weak spots that can compromise the integrity of the network.

Bitdefender BOX checks for your password strength, firmware version and any vulnerability that can be used as a backdoor to gain remote access or unauthorized access to your connected devices or network equipment, steal your data or launch attacks.

If you want to review the status of your connected devices and address detected issues, just click the Vulnerable Devices button in the BOX app and keep your network safe.

4. Behavior-based Threat Detection

Want more? The BOX can also smell a rat.

Yes, this little gadget also notices the suspicious behavior of any device on your network and protects other devices on the same network from unauthorized access and tampering.

Most behavioral security solutions are usually designed for large, highly distributed networks run by large organizations and government agencies, but Bitdefender BOX brings the same level of security for your home network.

Bitdefender Active Threat Control has been designed to detect never-before-seen threats and classify advanced malware, including variants of known and unknown threat families, in real-time using machine learning and behavior-based threat analysis and improves security and privacy of your connected devices.

Bitdefender BOX – Should You Buy It?

With these impressive features, Bitdefender BOX is a win-win product for your smart home network, which guards and protects your home environment from every single threat, whether it's a hacker, malware, an intruder or a guest.

The BOX supports all devices running iOS 9 and later, Android 4.1 and later and Windows 7 (SP1) and later (32 and 64 bit).

Usually, Bitdefender BOX comes at $199, but the company is currently offering a $70 discount. So, you can buy it at $129.

Bitdefender BOX is well worth every single penny for those who want security protection for all of their devices, including smart home gadgets, plus antivirus for PCs, Mac and Android.

Other Quick Ways (Manual) to Protect your IoT Devices

Meanwhile, there are some typical manual ways that you should consider to protect your smart device from being hacked. You can follow these simple steps:

1. Change Default Passwords: If you have got any internet-connected device at home or work, change your credentials if it still uses default ones. Changing those passwords periodically is also not a bad idea.

2. Disable Universal Plug-and-Play (UPnP): UPnP comes enabled by default on every internet-connected device, creating a hole in your router's security that could allow malware to infiltrate any part of your local network. So, check for "Universal Plug and Play" features and turn them OFF.

3. Disable Remote Management through Telnet: Go into your router's settings and disable Remote Management Protocol, specifically through Telnet, because this protocol is used for allowing one computer to control another from a remote location. It has also been used in previous Mirai attacks.

4. Check for Software Updates and Patches: Last but not the least, always keep your internet-connected devices and routers up-to-date with the latest vendor firmware.
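As an added self-audit for steps 2 and 3 above (this is example code, not part of the article or of any Bitdefender product): it sends a single SSDP M-SEARCH to the standard UPnP multicast address, parses each reply into its headers, and reports whether each responding device also accepts a TCP connection on the Telnet port, so you can see which of your own devices still have UPnP and Telnet enabled. The multicast address and M-SEARCH format are the UPnP standard ones; the sample reply in the test is constructed.

```python
"""Home-network self-audit: which devices answer UPnP discovery and expose Telnet?"""
import socket

# Standard SSDP multicast group and port used by UPnP discovery.
SSDP_ADDR = ("239.255.255.250", 1900)
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
).encode()


def parse_ssdp_response(raw: bytes) -> dict:
    """Return the headers of an 'HTTP/1.1 200 OK' SSDP reply, lowercase keys.

    Anything that is not a 200 reply (e.g. a NOTIFY announcement) yields {}.
    """
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def discover_upnp(timeout: float = 3.0) -> dict:
    """Send one M-SEARCH and collect responders, keyed by source IP address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = {}
    try:
        sock.sendto(M_SEARCH, SSDP_ADDR)
        while True:  # keep reading until the socket times out
            data, (ip, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers:
                found.setdefault(ip, headers)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


def telnet_open(host: str, port: int = 23, timeout: float = 1.0) -> bool:
    """True if the host accepts a TCP connection on the Telnet port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Run on your own LAN; each line is one device still answering UPnP.
    for ip, hdr in discover_upnp().items():
        state = "open" if telnet_open(ip) else "closed"
        print(f"{ip}: SERVER={hdr.get('server', '?')} telnet={state}")
```

Devices listed here are the ones to revisit in their settings to turn UPnP off and disable Telnet-based remote management.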

Don't forget that it is every single customer's job in the entire IoT devices chain to be responsible for the security of their point of connection as well as beyond.

Moreover, when it comes to small-area or city-wide IoT implementations, anything connected to the Internet must be secured before bringing onto the network.

Remember the hyper-intelligent Artificial Intelligence that helps Tony Stark by doing data analysis, charging his armor, presenting information at crucial times and handling other business operations?

That's right — we are talking about J.A.R.V.I.S., Iron Man's personal assistant.

We all dream of having one of our own, and even Facebook's Founder and CEO Mark Zuckerberg has ambitions to live more like Iron Man's alter ego Tony Stark.

While disclosing his 2016 resolution via a Facebook post on Sunday, Zuckerberg revealed that he is planning to build his own Artificial Intelligence to help him run his home and assist him at office — similar to Iron Man's digital butler Edwin Jarvis.

"You can think of it kind of like Jarvis in Iron Man," Zuckerberg wrote in his Facebook post. "I'll start teaching it to understand my voice to control everything in our home — music, lights, temperature and so on."

"I'll teach it to let friends in by looking at their faces when they ring the doorbell. I’ll teach it to let me know if anything is going on in (daughter) Max’s room that I need to check on when I'm not with her. On the work side, it’ll help me visualize data in VR to help me build better services and lead my organizations more effectively."

But do not expect to run your own house and office with Facebook-branded Artificial Intelligence anytime soon: Zuckerberg said that he is building the system for himself, to work with the way his home is configured, not yours.

Other major technology companies, like Microsoft and Google, have also been doing more with Artificial Intelligence and Deep Learning in the past few years.

However, if the tech billionaire succeeds in creating a real-world Jarvis, it would definitely take smart-home technology to new heights.